What is the one cybersecurity oversight you see repeatedly that you’d urge people to fix now?

We need to stop hoarding ancient technology. Retiring old, expensive, and increasingly ineffective technology is an oversight that needs to be fixed right now. For example, look at those organizations still using user names and passwords for identity management and access controls. That was state-of-the-art in the 1970s and is easily defeated! Similarly, many organizations have firewall teams struggling to maintain tens of thousands of firewall rules associated with virtual private networks (VPNs). People love the encryption and privacy of VPNs yet they choke firewalls and neuter intrusion detection and protection systems. VPN technology is over twenty-two years old. Now is the time to retire ancient tech based on 20th century ideas and implement modern secure technologies such as software-defined perimeter capabilities that are less expensive, more effective, and simpler to operate and maintain.

What is the one cybersecurity oversight you see repeatedly that you’d urge people to fix now?

The impact of the lack of personal cyber hygiene in our overall cyber security posture must be addressed more actively. I also think product developers and service providers should be more diligent in how they practice security on their platforms and in their products. Let’s do basic things like not allowing “Password” as a password on any system or forcing the purchaser of a product to change the default password to a more secure one before the product or service is activated. These are not expensive to do and will aid those who are not aware of cyber security vulnerabilities to make simple mistakes that create opportunities for exploitation. Cyber Security must be applied from all sides of the product chain.

What is the one cybersecurity oversight you see repeatedly that you’d urge people to fix now?

I urge network system designers and builders to not only think about cyber security capabilities for securing their system’s data but to think about securing the other guy’s data as well.

Within an airport environment, there exists a complex, large scale, system of systems. Some examples of those systems operating within the airport eco-system include airline reservation systems, ground transportation systems (taxis, Uber, Lyft, shuttle bus), airline operation systems (check-in, baggage drop-off, gate operations), baggage handling systems, security systems, airport operations systems (ground support systems, aeronautical navigation and surveillance systems, aircraft ground handling systems) and terminal operations systems (concessions, communications). Today, many of these systems operate independently of each other. Although, for the airport to function successfully, it needs these systems to operate at a certain level of capability at a certain time. I think it is safe to say that this will not be the way of the future.

Let’s look at one vignette within the airport environment, the seamless and frictionless passenger journey. To get to that seamless and frictionless passenger journey everyone speaks of, some of the systems listed above will have to be integrated, or at the very least, be interconnected within the aviation security eco-system. This means that data from one network system (Uber or Lyft) will find its way into the network of another system (airline operations) which will find its way into the network of another system (security systems) and so on. Since the data will be shared among the system of systems, system owners can no longer afford to design and build networks to the minimum security levels required by their own system. These networks need to be designed and built to the maximum security levels required by the most restrictive system owner (usually the Federal gov’t). If that doesn’t happen, there will be limited to no sharing of data (because the other guy’s network won’t be trusted) and ultimately no chance of a seamless and frictionless passenger journey within the airport.

What's the most pressing cybersecurity threat that is not getting enough attention and needs greater action?

The most pressing threat continues to be the consumer – the weakest link in the cyber chain. There are many opportunities for cybersecurity experts to enlist consumers as partners.

However, we don’t educate consumers well about what they should do to protect from cyber threats. Specifically, we could do a better job communicating a set of best practices. We should create a comprehensive, easily-understood set of steps for consumers to follow to execute those practices.

In addition, we don’t give consumers a central place to get advice for protecting all of the threat vectors they touch – in both their personal and professional lives. Even our regulatory efforts are not consumer-based. Our government regulates according to industry – but we don’t then consolidate disparate government and industry information into an accessible, consumer-focused platform that consumers interact with on a daily basis. In other words, we often don’t stop to look at this multi-pronged challenge from a consumer’s point of view, and give them the tools they need to help us all fight cyber threats. If we don’t mitigate this weakness, the potential of the Internet of Things – and the enormous economic benefits to our nation that come with it – could be vastly reduced.

What's the most pressing cybersecurity threat that is not getting enough attention and needs greater action?

It is difficult to point to one pressing cybersecurity threat that requires the greatest attention due to the fact that technology is such an integral part of every aspect of our life, from the most mundane such as a “personal speaker device for daily reminders” to the most sensitive SCADA control systems that govern the electrical grid. The July 2018 Testimony by the Comptroller General of the US before the Subcommittees on Government Operations and Information Technology, Committee on Oversight and Government Reform, regarding Urgent Actions Needed to Address Cybersecurity Challenges Facing the Nation, articulated a good summary assessment and list of actions needed to improve the nation’s cyber security efforts. If the federal government addressed those priorities we would go a long way in securing the nation. However, as a former Assistant Secretary for Infrastructure Protection and a CEO of a public company, asked to identify one single action to bolster cybersecurity, it would be serious, committed and sustainable leadership across the nation; federal, state and local government, the private sector and our communities to address the growing threat to our nation from the proliferation of data that could be exploited by Artificial Intelligence (AI) by nation states and rogue actors. The challenge of securing cyber infrastructure has evolved from the early days of securing corporate networks and encrypting email to securing every piece of technology that has integrated with our daily life. Today, IoT devices and apps collect every piece of data about our movements, opinions, habits, friends, schedules, medical information and virtually everything about us, our companies, our governments. Combine that with the OPM breach and the litany of health and credit information breaches and we have few secrets as individuals. Literally, virtually anything can be known about an American citizen with a few keystrokes.
Add to that an AI capability that has the promise to create efficiencies, analyze data, predict behaviors and identify vulnerabilities beyond the capacity of any person and it will have a profound impact on our lives and security. Consequently, we (as well as our biggest technology competitor – the Chinese) are creating the ability to weaponize data which can be used against us in ways we can only imagine but will regrettably experience in the years to come. We are in a cyber arms race that is unprecedented. The weapons of that arms race are the technologies, both hardware and software that our industry is creating and refining daily. Combined with the new nuclear fuel (data) the ability to use the cyber weaponry with surgical precision to disable and impact our life as we know and enjoy it is a reality. This is a national security threat that is on par with the threat posed by nuclear weapons. The significant difference is while we may not experience physical destruction on the magnitude of a nuclear strike, there are few barriers to entry into the cyber arms race and as we have seen, few resources need to be applied to have a significant disruptive effect on our nation’s security. This threat needs to be taken seriously by national, state, local, business leaders and our communities. US leadership across government and private sector is critical if we are going to protect the sovereignty of our nation and its citizens. We need robust mechanisms to protect our information and privacy to ensure that Americans can enjoy the benefits and conveniences of technology without compromising our personal, corporate and nation’s information and fueling the cyber weapons of the future.

What is the one cybersecurity oversight you see repeatedly that you’d urge people to fix now?

One fix? No question: Validate that the security controls you have – the people, processes and technologies in place – to address your security needs actually operate as intended. At The Chertoff Group, our watchword is “effectiveness.” We conduct assessments on countless clients and, more often than not, observe that security tools have not been implemented correctly, properly tuned, and have not been configured to effectively protect the network. Test, test, and re-test that the security professionals you employ are capable and knowledgeable, that the security governance and processes in place operate efficiently and effectively, and that the tools you’ve purchased are providing the security functions intended of them. This can be done in-house or, we’d recommend, by an independent, outside party who are security experts and fully specialize in security assessments and recommending remediations.

What's the most pressing cybersecurity threat that is not getting enough attention and needs greater action?

I am concerned about the growing potential for cyber attacks that are intended to manipulate and alter data (instead of stealing it) with the objective of causing reputational damage to governments, companies and individuals. And as social and transactional platforms and systems become more reliant on artificial intelligence and machine learning, there are also risks that input data and algorithms used by these systems could be altered, leading to broad-based economic disruptions and harm to groups and individuals. One key priority in addressing these threats will be educating the news media and other validators of information about the potential for false, manipulated data, and ensuring that processes are in place to reduce its amplification and harmful impact on public trust.

What is the one cybersecurity oversight you see repeatedly that you’d urge people to fix now?

Cyber technology companies are protecting America, but policymakers have long needed to do more to protect them. Organizations confront relentless, often state-sponsored, cyberattacks. Industry continues to provide cutting-edge security for the common good but lacks effective government safeguards. This problem is not receiving sufficient attention, but Congress can act.

S.2392, the Cyber SAFETY Act of 2018 (CSA), would incentivize companies that offer technologies to prevent a cyberattack to take their product or service through the Department of Homeland Security’s rigorous SAFETY Act vetting process. CSA would clarify that SAFETY Act protections apply to a significant cyberattack regardless of the illicit actors’ motivations. In doing so, SAFETY Act labeling, such as a designation or certification, would foster the voluntary development, purchase, and deployment of cutting-edge cyber technologies in threatening online environments.

CSA does not absolve businesses of liability. Rather, the legislation would create a carefully balanced approach to managing cyber risk and minimizing costly litigation. CSA would increase the likelihood that leading cyber technologies would be deployed because SAFETY Act protections are extended to the sellers and buyers of CSA technologies.

What's the most pressing cybersecurity threat that is not getting enough attention and needs greater action?

Just as a chain is only as strong as its weakest link, a security system is only as strong as its greatest vulnerability. For many cyber systems and databases, whether personal, commercial or governmental, the greatest vulnerability is an individual’s point-of-access. There’s always been a tension between tight security and convenience.

Most system managers try to strengthen account security by requiring parameters that will result in stronger access passwords (like upper/lower case, numbers, symbols, etc.). All too often, account users are inundated with a myriad of accounts, each requiring complex passwords, and many of which must be changed every 60-90 days. To simplify and manage their list of passwords, many users will use a simple or favorite password for multiple accounts, thereby exposing their networks to greater risk.

One trend to ensure greater account security is to require “two-factor identification.” This is helpful, as a series of substantial hurdles can greatly raise the bar for hackers. But it’s not fool-proof.

Another trend is to employ biometric systems, which use a distinct personal body attribute to verify an identity (such as a fingerprint, an iris, a facial profile or a heartbeat) and are gaining traction. These systems too are not completely hack-resistant. (In fact, famed hacker Jan Krissler was able to recreate the fingerprint of the German Minister of Defense using high-resolution photos of the politician’s thumb from press conferences and then reconstructing the thumbprint using VeriFinger software.) Nevertheless, a successful hack of an individual’s account is not scalable and usually won’t be worth the effort.

Yet, as fortune.com noted, large-scale biometric data can also be hacked, such as the 2015 breach of the fingerprints of some 5.6 million people from the federal Office of Personnel Management (OPM). And that kind of damage can be long-lasting… as you can change your password, but you can’t change your fingerprint.

While progress in security for individual account access is being made, more needs to happen, faster. Many recognize the vulnerability and some will say that the needed changes will be expensive, but they can’t be ignored. Yes, it’ll be difficult. And, yes, it’ll be hard. But, until the investment decisions are made to enhance account security, we remain very vulnerable to attack.

What is the one cybersecurity oversight you see repeatedly that you’d urge people to fix now?

The cyber world is a complex network-of-networks, and stovepipes abound. In such a networked environment, vulnerabilities and threats can also be linked across the broader network. Protecting such a network requires a networked defense-effort.

Though some in government and business have formed partnerships and coalitions to advance their collective defense, too many agencies and companies remain disconnected and stove-piped. The cyber seams that separate companies and agencies with common interests need a networked defensive plan, just as defensive-schemes are developed for the seams on a football field or the basketball court.

What happens if the entire northeastern electric grid is attacked and taken down? What are the priorities for restoring power? What happens when we can’t pump gas or withdraw our money from an ATM machine? What if the registers no longer work and we can’t buy groceries? What happens to critical infrastructure like power plants and utilities? Or water treatment plants?

A joint effort certainly won’t eliminate the threats or completely address the network vulnerabilities, but could go a long way to mitigate the damage from a successful attack.

Those overseeing cyber systems and databases need to be proactive in identifying and then addressing these seams of vulnerability. Now. Before a successful breach.

What is the one cybersecurity oversight you see repeatedly that you’d urge people to fix now?

Today’s threat environment is no longer static. In the high-threat world, aggressors are now focused on how to accomplish their attacks. It is the essential role of government to manage threats and deter intended consequences. Not only are assailants now engaging in ‘entrepreneur-like’ activities but also have the support of a vast array of technologies. It has become increasingly important for security specialists to not only answer questions of how, but also why, where, and why there.

Place matters, and, as such, population growth, alongside economic development, will inherently result in places prone to attack.

This is especially the case regarding cybersecurity, which permits a larger base of individuals to operate in a decentralized, networked manner. In the past year, local governments have been in fear of their operational and financial records being held hostage by a cyber-attack. Many localities do not have the expertise or cannot afford to upgrade their security protocols.

This is an area of needed discussion given that local government serves as the country’s largest employer, with more than 82,000 units. To this end, local authorities require advanced knowledge and training in becoming force multipliers to state and federal actors in critical infrastructure protection.

What's the most pressing cybersecurity threat that is not getting enough attention and needs greater action?

From my vantage point, the most significant cyber threat is not the latest and greatest cyber weapon. Nor is it a new tactic, technique or procedure being wielded or deployed by a long list of Advanced Persistent Threat (APT) actors. All these are important and demand immediate action. But the most pressing requirement from my perspective is figuring out how to best integrate cyber into our national and economic security planning and operations. It’s about governance and statecraft. Cyber is no longer relegated to the kiddie table. It is integral in everything we do as a country, business, educational institution, and as individuals. While cyber is its own domain – demanding new ways to wield power including enabling commerce, prosecuting and fighting wars, and engaging allies and adversaries diplomatically – it also simultaneously transcends the traditional orbits of air, land, sea and space. Marshalling and mobilizing the instruments of power and statecraft is tantamount to future success. The countries that do so effectively will lead while those that don’t will march to someone else’s drum.

Director of National Intelligence Dan Coats was right when he characterized the system as “blinking red” in terms of cyber threats. So was Secretary of Homeland Security Kirstjen Nielsen when she warned, “We are in crisis mode. A ‘Cat 5’ hurricane has been forecast and now we must prepare.” Their forceful proclamations underscore both the breadth and depth of the cyber threat.

A first order of business calls for shifting from a reactive to a more proactive posture. Business as usual – constantly swatting down the crisis or backfilling the vulnerability du jour – is doomed for failure. As of now, and likely for the foreseeable future, the initiative remains with the cyber attacker. They will continue to have first-mover advantage over the defender. It is increasingly clear that we cannot simply “firewall” or defend our way out of this problem. A more forward-leaning posture that is supported and underpinned by similar strategies and tactics is needed. For too long, our cyber-adversaries have had the run of the field, without the imposition of timely and severe consequences designed to discourage further malicious (if not downright hostile) activities directed against the United States. Indeed, a robust deterrence strategy has been the primary element missing from the U.S. toolkit to date. Articulating and executing such a strategy must be a top priority in the days ahead, in order to expand the elements of statecraft that are at our disposal for the purpose of containing and dissuading the most significant cyber threat actors.

What is the one cybersecurity oversight you see repeatedly that you’d urge people to fix now?

Cybersecurity is too often viewed by public policy makers and business leaders as a niche area solely under the responsibility of IT professionals who simply need the latest in software and other technology to protect networks, systems, and data. This approach ignores the critical “human factor” in effective cybersecurity, which includes prepared people and well-documented and understood policies and procedures.

In so many cases, the weakest link in cybersecurity is a poorly or inadequately trained employee or executive who succumbs to social engineering techniques that end up exposing the entire business or government enterprise to malicious actors. Until we better address the human factor through consistent and effective training, education, and testing, and link those efforts with strong policies, procedures, and technologies, our networks, systems, and data will continue to be at high risk.

What's the most pressing cybersecurity threat that is not getting enough attention and needs greater action?

The amount of information considered critical or “cannot do without” in our everyday lives is growing at a rate that is hard to comprehend. Our economy is transforming from just-in-time to on-demand. Just like big data analytics drove just-in-time economies, information analytics will drive the on-demand economy.

It used to be that data was the answer. If I had enough of it, I could make more informed decisions and be more competitive. On-demand is a completely different animal altogether. In order to support the on-demand economy, data has to be paired with information services that drive the consumer and the provider into mutually beneficial relationships – Airbnb being a great example. These information services include advanced location services, preferences, weather, IoT sensors and the list goes on and on and continues to grow almost daily.

All of the above gives rise to what may be the most under-appreciated cyber vulnerability – the information itself. From elections to ad warfare, peddling in influence is misleading and in many cases profitable. The ability to distinguish human from bot in a digital world is required in order to protect the validity of information or service provided. No longer can we simply increase the security of the network but, equally important, we need to focus on protecting the integrity of the information on these networks to ensure that influence is not served up to the unsuspecting millions by automatons.